Wednesday, February 27, 2008

Vista in Shambles

Read:

http://news.bbc.co.uk/2/hi/technology/7205059.stm


Vista have a very bad track record of all Windows product. Firstly, it has a delayed release date. secondly , it is bloated and requires lots of resources just to keep it afloat and third is that is' SP 1 is taking such a long time to release and the SP 1 have been warned to be as unstable as ever according to BBC's link, which breaks softwares. Who knows how many more software would this SP 1 break ?

Service Packs , updates and patches are very very crucial and important of any software development of an enterprise scale. No one wants to leave their system unpatch and left vulnerable to attackers and bugs running all over uncheck causing destruction and trouble. For an enterprise business , an attack on a company's system can bring down millions of dollars worth because of the down time and the need to repair and fix the system.Investors may also start to lose their confidence and become doubtful of the systems the company may use.

Since Windows is a widely use operating system and Vista have been installed in many computers and many people using Vista would be affected.

From the beginning , Vista started out with a terrible performance ... I doubt how well can it go.

Microsoft is already planning for another version of Windows OS to be released. I wonder would it also end up like Vista ?

Tuesday, February 26, 2008

Fake Shareaza

Read the two following links :

http://yro.slashdot.org/yro/08/02/26/102239.shtml

http://torrentfreak.com/shareaza-imposter-lawyers-threaten-forum-080225/

It seems rather stupid for the owner of the Shareaza domain name to put the domain name into the hands of someone else. In cyber security, you do not trust anyone because anything can happen. Look what happens when you entrust someone your domain name. They make a fool out of you and turn against you. And the company that spoof off as Shareaza is totally horrendous and is worse than any word in any language or dictionary can describe. Not only does the company spoof off as Shareaza , it turned the trust against the previous owner and now threatens the forum of Shareaza just because someone calls for a DOS attack. It's not that I am downplaying a DOS attack... but I think the company that spoof off Shareaza should have approached the forum admins to request for an alert and take off that post rather than going for legal stuff first. The company really made the forum admins of the Shareaza forums look stupid by first approaching the court ... as if the forum admins are not mature enough to handle small situations like a bad comment. Does the company that spoof Shareaza have any proof other than the forum post that a DOS is coming or already happened ?

I think the company who spoof off as Shareaza should also face legal consequences for spoofing off as someone , violating GNU GPL license , defaming Shareaza through spoofing , attempting weird actions like installing some unknown toolbar and given a warning but if that company who spoof off as Shareaza continues it's outrages actions , the courts should issue a cease or desist order to the company that spoof of Shareaza and a hefty fine.

I think the company who spoof off as Shareaza is lucky not to be in my country or the offense would be far heavier if brought before the courts in my local region if found guilty of attempted conspiracy against the original Shareaza.

The actual Shareaza site is hosted with an open source community: http://shareaza.sourceforge.net/

Disclaimer: This post is my personal opinion and readers are reading at your own will. No responsibility or legal actions would be pointed at me because you are reading this at your own will.

Sunday, February 24, 2008

a rant on the grim future of tech

Whenever a new technology emerges , somehow man kind would manage to corrupt that technology to meet one's own selfish end. I foresee and dare say that the future of humanity and technology would continue to go down this corrupted road ... this road of danger and perils. Mankind have created computer virsuses and bugs , malwares , adwares , trojans .. deliberately twisting codes to create backdoor or corrupt a system... Humans have use technology to kill each other (guns , weapons , genetic alteration of viruses and bacterias or harmful substances , elcetronics ... mechanisms) and also to harm and destroy other species and creatures around us.

Mankind have always and would always corrupt new emerging technologies that may promise new hope ... turning these technologies against ourselves and others.

How pathetic human kind are. I watched an anime , Shigofumi , and one time , the main character , Fumika , sighs at how pathetic human beings are compared to those who live in the afterlife or other creatures. I would agree hands down that how pathetic human kinds are. We created encryption and other software products like firewalls and anti virus to protect ourselves , but also at the same time , traded our freedom for some jumbled up cryptic message to protect our message content (encryption) , cage ourselves in (firewall and filters) and have to constantly live with fear that someone would just break into our systems and take over.

I can foresee new exciting technologies over the horizon , coming out , but I see the other darker half of these new hopeful technologies too...

Friday, February 22, 2008

Net to Desk

I was wondering if there is such a software that could allow users to access their forums , chat rooms , blogs (blogspot.com , blogger.com , flickr ...) and emails right from a single desktop application. It would be nice if you could access all these stuff just a single desktop application rather than going to each webpage in a new window or tab. It should be able to gather all the data and tell you if there are any new messages , posts , Private / Personal Messages ... etc ... and then place them all together in a uniformed and clean format like a tree structure or table form so that you can quickly glance through all the new stuff without the hassle of logging in and opening many pages and flipping through every single stuff.

The connections on both sides can be configured for SSL encryption to if possible since security is always an issue. The ability to invoke virus scanning from your local installed anti virus would be useful which is something like Microsoft Outlook which allows plugins for anti virus to scan downloaded mails.

So all you need is one desktop application to rid the hassle of going to mulitple pages and read through the entire pile of them.

I think if it's possible , maybe it should be made to be OS independent for the software programming language like C , Java , Python ...etc .

Well.. this is just an idea...

If anyone knows of such software application that can allow you to access and manage mulitple forums , blogs , postings ...etc ... maybe you would like to place a comment containing a legit website.

Tuesday, February 19, 2008

Secure Sites and Forums

There are many cases of websites and forums being hacked , defaced , attacked , ransacked of data from database , corruption of the data ... etc. I am a member of two forums and both forums have been hacked or in the geek word , 'pwned' . I tried to suggest security reforms to the forums but they either do not have the money to implement security and are currently gathering funds or some are just down right stubborn and ignore.

Here's a warning to all website and forums owner and also some basic educational materials for these websites and forums owner to kick up their defenses and do it ASAP !

The most common way to down a website or forum is to use Distributed Denial of Service (DDoS) or if it's a smaller scale and done from a single origins point , it is called simply Denial of Service (DoS). In general , DoS and DDoS are the same except that DDoS is a wider distribution of attack consisting of harvesting the resources from multiple computers over a vast area like a network and all these computers are primed to attack at a single point of time to increase it's deadly effects. A DoS itself may just well be a single computer doing the attack. In simple , in DDoS .. you have more computers over a distributed network... DoS is simply the basic form of DDoS done without a distributed system supporting it.

The most crucial factor in DDoS that makes it deadly is timing. Timing needs to be right so that all the resources can be unleashed on the target at a single time , making a huge 'tsunami' to overwhelm the target with request of service and thus overwhelming the target with an overflood of request. One of the easiest way of DoS is by continually requesting for resources like certain webpages or files. If it is well timed and the resources is huge and all the target request for a single one resource , it would be overwhelming . There are tools to handle DDoS and a couple of open source projects do currently produce DDoS prevention tools. There are also commercial tools for DDoS prevention. A search using Google to look for DDoS protection tools would yield a number of results you may consider. If you don't have the money , head to Open Source or freeware projects.

Web hosting servers should always have Intrusion Detection System (IDS) to identify any attempts of intrusion. Although IDS detects intrusion , many may not have the capability to preven , so you would need to act and prevent yourself. Some are more advance to include prevention capabilities to automatically prevent intrusion. Snort , an open source IDS project is a widely used product that is free of charge.I am currently learning of the capabilities of Snort myself so I could use them on my own computers too.

One of the most common ways to attack is by opportunity and leaks. One of the most common things many coders may leave in their login or code structures are hard coded values. For example , you may think of hard coding some values into your webpage design for easy login access but this is a very bad idea. It is as good as leaving your key in the door knob. All it need is for someone to analyse your codes and if you leave any hard coded important values like login values nand stuff, do know that you are endangering yourself and the users.

Using default settings for your security software e.g. default router or firewall passwords shouldn't be allowed. Default passwords are one of the first few things hackers would be glad to try out since they know how careless people are when using passwords. Do not leak passwords to anyone , not even your friends, unless they are part of the administrative team for the website of forum tasked to handle maintenance.

When you are sending request data or respond data over between the user and the website's hosting servers , data are being exchanged including sensitive data like passwords and username. There are network packet analysis tools like Ethereal and Wireshark (the latest version and the renamed name of Ethereal). Ethereal/Wireshark have a simple GUI interface with manuals on how to use and all you need is simply specify a network device (LAN , Wireless...) and it would sit there and capture all data packet passed within the network and you would be surprised the amount and detail of data being captured. I was doing a test setup with a colleague when we are supposed to use Ethereal/Wireshark (legally) to test the safety of the data being passed between certain applications. Both of us opened a web based messenger and logged in and send message to each other for a while and we when back to look at the Ethereal/Wireshark. The data captured include our email address , password , username , names of the contacts in our contacts list and the chat conversation all in plain html text format. If such tools can capture web chats in nearly plain human readable format , why not for web applications like login and authentication and forum postings ?How do ou handle these sensitive data. You can use Secure Socket Layer (SSL) or Transport Layer Security (TLS) , to encrypt your data and send between each other and also to verify each other's identity if needed. There are many data on TLS and SSL available online. The problem with SSL and TLS is that you need a Certificate Authority (CA) and many companies in the CA business requires you to pay them some money to allow you to use their service and many forums and sites are either created with a constrainted budget or the creators of the site or forums may not have any knowledge into security. I hope some community or companies would be kind enough to open a sort of free CA business for others to use so to promote security. There are a couple of open source free CA software where you have to install into your server but most of the time , these personal CA are not trusted by the web browser and the web browser would prompt the user to either accept for reject the suspicious certificates and thus making your website or forum look a little bad. But if you don't mind your users being prompted by the web browser about your CA as being untrusted , you may want to convince your users to add your personal CA as a trusted one... but these are too deep into the technical end for most people.

SQL injection is bad for your database since it allows corruption of your data and there's a vast amount of data on SQL injection and even examples available on the internet. Do a simple Wikipedia or Google search and you would get the data.

The devastating effects of a hacked site is not merely just defacing your site or forums andhackers spoiling your forum or sites foundations or database. Many hackers do harvest data from your database and may implant backdoors if possible or may corrupt your websites. The most dangerous is the harvesting of data from your database if you have any. The data in the database contains personal information and these personal information can be used to drive other criminal activities like black mailing or other hackings.

Most people use the same passwords for their websites , forums , emails , Operating System login ...etc. Once you have a password leak from the harvesting of data from the compromised website or forums , these passwords can be used to unlock other of the personal stuff like emails rom those users in the database. Do alert your members to be aware of the websites and forums being hacked if it happens in an honest fashion and do tell the users to either change their passwords (not only for the websites of forums database but also for the email addresses they use to register ).

Remember , do always secure your websites and forums. The most important thing is to be alert and always know how to use security tools properly.

Saturday, February 16, 2008

MS Word 2003 and OpenOffice .. and a rant of co-existing...

I was typing my document in OpenOffice 2.0 (.odt) at since I am experimenting with Linux and I wanted to make some quick notes with graphics and stuff and the best I can get is OpenOffice. I tried to open it in MS Word 2003 in another personal computer I have running Win XP and it failed to open.

Why haven't Microsoft come out with a plugin for OpenOffice to allow opening of OpenOffice files ? Isn't it a fairly simple logic ? If you want to dominate a market , you weed out your competitors. So you would deprive others of chances... Why can't Microsoft co exist with others ? Including in terms of file format and cross platform operability , why can't Microsoft co-exist and keep denying of service with other players ?

What happen if a great and very profitable product were to be developed to work on a competitors product and it's selling so hot but of all things , it doesn't work just on Windows platform . Do you like the same thing to happen ? Do you think you can always dominate a market ?

There is always new risings everywhere. new breakthroughs , new products ... All things is impermanent and all things are subjected to changes...who knows if someone might succeed Windows and Microsoft as the next giant.

Although there are much nasty things about this software giant (Microsoft) , at least it's willing to create an MS Office 2007 to OpenOffice plugin and that's a first step of cooperation.

What I really wish is for a harmonious relationship between platforms of Microsoft , Linux , Mac , BSD , Solaris ...etc. i don't like to see them at logger heads. It's very frustrating to see wars between them. I think Microsoft should stop trying to make things difficult for Linux users and stop telling Linux off that they have violated this copyright , that patent ..this and that. Linux have much things to offer for Microsoft to learn and Microsoft can teach Linux a thing or two. If everyone were to drop all these wars and get together to brainstorm in harmony , I think technology would grow by leaps and bounds and the foundation for technology would be very stable and resiliant to malicious attacks (the technology isn't stable yet these days) .

Thursday, February 14, 2008

Internal Window like Frame ads pop up

I think everyone have made many situations where they visit websites like hotmail or microsoft or msnbc and when your mouse just runs over an ads banner or the ads maybe automatically programmed to pop up , these days they don't use a normal html windows where another mini mrowser window or another new tab is opened. I think these new ads internal frame like pop up are getting very very irritating and when I tried to click the close link on the internal frame like pop up trying to hoepfully get rid of it so it doesn't block my view of reading (yes, the pop up opens big and blocks your damn view while you are reading an article and this is what hotmail , microsoft and msnbc have so far to my observation being doing) and it's irritating. Imagine when you are reading and your mouse acidentally moused over the ads banner and caused the pop up or if the ads pop up just sprang up automatically... it's damn irritating all the time and many blocks your view of the articles you are reading. I think anti pop up makers may want to look into such internal pop ups as a new feature in their pop up and ads blocking. The most irritating part is that some close links for you to click to close the pop up just wouldn't close or the close font is sometimes too small to click.

Another thing more worrying is that the javascript or codes for doing all these pop ups or the close link may or may not contain some malicious codes , compromising your system. There are many reports and cases how malicious javascript codes are used to compromise systems and these are very wide spread and since many users are not going to look at the source codes or don't know any jaascripting , they are very likely to fall for such traps. Who knows if the close link or the pop up script including silently logging your ip address , mac address or covertly compromising or making your system silently opening a port to download some virus or trojans or worms ?

I my sound very far fetched but why not since javascrit have been used by malicious coders to infect innocent and unsuspecting users ?

It's history replaying itself with a new twist.

Friday, February 8, 2008

Encrypting Files and Hard Disk

The famous Edison Chen episode is well known in Asia. What can we do to further protect our data from leaking to hackers and malicious or nosey idiots ?

The simple answer is encryption. There are many cryptographic softwares out there with simple and intuitive user interfaces for all to use. Even a novince or a dummy in computers could use them because all you need is to specify which file or hard disk you want to encrypt and think of a password to encrypt the file and others would have a bad and hard time trying to decrypt it. Although there are crackable encryption algorithms, but there are also good encryption algorithm that would prove to be a challenge for nasties.

The below are encryption algorithm I would recommend for encrypting files:

> Blowfish 64 bits for small unimportant files and 448 bits for max protect
> AES 256 bit, Rijndael (international standards)
> PGP 1024 bits or 2048 bits for near military grade and super paranoid ones
> 3DES (Triple DES) around 100++ bits should be good
> Twofish 256 bits

The password or keys or key file made from encrypting should always be kept safe and secret because if a password or key is leaked, it could be used to decrypt your files and make it not secret any more.

For techies, another technique is to give the file name a random name without meaning so it doesn't imply anything sensitive and save the file name in a well protected encrypted file that maps the random file name to the actual meaning and name of the file. This encrypted reference file is crucial and must at all cost protect it from harm.

Below are some programs I recommend to use and these programs are not made by me !

> AxCrypt: http://www.axantum.com/AxCrypt/ (Windows only)

For non-Windows users, it would you could visit the open source software community at www.sourceforge.net and key in key words like 'encrypt file' and something similar in the search to find softwares that can run on your platform for file encryption.

For storing passwords, try out the free open source software made by the famous cryptographer Bruce Shneier and his team, the PasswordSafe: http://sourceforge.net/projects/passwordsafe/ .

For those who are determined to encrypt their entire hard disk, you can try TrueCrypt: http://sourceforge.net/projects/truecrypt/ .

I do not gaurantee anything of these softwares but merely just my opinion, so if there's anything wrong , I am not liable for any responsibility.

The best way is obviously not to put sensitive data or even have them so if there's no sensitive data, then no matter how people try to find it in your computer , they would only find common stuff around.

What if Symantec modifies and uses ClamAV engine ?

As like any computer paranoid user , I would always have an anti virus installed into my computer before I install other applications and I have always been using Symantec's Norton Anti virus. The one weak point I know of many years of using it is that it does take up a bit of processes and can be rather bloated and when I do a full hard disk scan, it takes up so much resources that I have to suspend all my activities including games and just leave it alone. I switched over to Clam AV solutions and it feels so light for my processes and when i do a full hard disk scan, I still have my games on and chat on and other applications and NetBeans IDE still running while ClamAV does it's scanning faithfully. I wonder what would happen if Symantec decides to adopt and intergrate ClamAV's engine into theirs and decides to find improvements to make a bloated Anti Virus software into something lighter. That would be good for all Symantec users if the software becomes lighter and still retails it's power to handle virus.

I think ClamAV needs to catch up on the area of auto protect which most anti virus software have already embedded this function in it's software since past.

Friday, February 1, 2008

Micorsoft + Yahoo ?

Refer to : http://news.bbc.co.uk/1/hi/business/7222114.stm

Microsoft have been dominating the tech industry for a very long time and now wants to take in Yahoo . I wonder what's happened to the world ? Trying to be the one sole Conqueror ? This comment is not applied to Just Microsoft but to other companies including Google or anyone whose trying to eat up companies just to become more powerful.

Then what would happen to smaller companies or companies and organizations that just started up ? In this way of trying to monopolize tech industry , the one getting hurt are not the bigger companies since they are all fat and well stocked up to take damages , but the ones receiving the hardest blows are smaller companies.

Schemes to help and fund smaller companies and organizations to grow are not really out of kindness but some sort of a gamble and an intent to eat them as well anyway if these companies create good products or services.

I think simply , the market is like a battle place as the Sun Tzu Art of War said. All these 'kind' schemes are just something to make use of an just another tactic to try and dominate the market. The tech industry / market / community is just like the War States in Ancient China where everyone tries to fight and become the Emporer.

It's just so irritating and tiring to always hear news of whose going to eat up who and all these stupid competition for fame and power.

No wonder humans cannot improve and evolve spiritually because they are all overly attached to the gross material. If this goes on ... no matter how go human technology is , we would further devolve further into a very sorry and pitiful lowly being if compared to other species around us.